
Required callback not found in JSON response when authenticating to AM 5

Last updated Nov 2, 2021

The purpose of this article is to provide assistance if you receive either a "Required callback not found in JSON response" message or an "Incorrect number of callbacks found in JSON response" message when authenticating to AM in a load balanced environment that does not use session stickiness (amlbcookie). This error occurs when you are using the XUI in a multi-server setup without sticky load balancing and authentication to a chain takes place across multiple servers.



Archived

This article has been archived and is no longer maintained by ForgeRock.

Symptoms

One of the following responses is shown if you use a REST call or examine network traffic using your browser's Developer Tools:

{"code":400,"reason":"Bad Request","message":"Required callback not found in JSON response"}

{"code":400,"reason":"Bad Request","message":"Incorrect number of callbacks found in JSON response"}

The corresponding error is also shown in the Authentication debug log:

  • Required callback not found in JSON response:

    amAuthREST:10/11/2016 10:07:23:816 AM GMT: Thread[http-bio-8080-exec-8,5,main]
    AuthenticationService.authenticate() :: Rest Authentication Exception
    org.forgerock.openam.forgerockrest.authn.exceptions.RestAuthException: Required callback not found in JSON response
       at org.forgerock.openam.forgerockrest.authn.RestAuthCallbackHandlerManager.handleJsonCallbacks(RestAuthCallbackHandlerManager.java:149)
       at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.handleCallbacks(RestAuthenticationHandler.java:304)
       at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:235)
       at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:160)
       at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.continueAuthentication(RestAuthenticationHandler.java:109)
       at org.forgerock.openam.forgerockrest.authn.restlet.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:127)

  • Incorrect number of callbacks found in JSON response:

    amAuthREST:10/11/2016 10:07:23:816 AM GMT: Thread[http-bio-8080-exec-2,5,main]: TransactionId[1a9f4c3c-01ac-8219-1234-693e9d8d7846-717]
    AuthenticationService.authenticate() :: Rest Authentication Exception
    org.forgerock.openam.core.rest.authn.exceptions.RestAuthException: Incorrect number of callbacks found in JSON response
       at org.forgerock.openam.core.rest.authn.RestAuthCallbackHandlerManager.handleJsonCallbacks(RestAuthCallbackHandlerManager.java:134)
       at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.handleCallbacks(RestAuthenticationHandler.java:317)
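
To gauge how often this is happening, the following added example (not ForgeRock code) scans Authentication debug log text for the two exceptions shown above and reports the timestamp, thread and transaction ID of each. The record layout is assumed from the excerpts in this article; the sample log is built from those excerpts plus one constructed unrelated record.

```python
import re
from collections import Counter

# The two messages this article covers.
MESSAGES = (
    "Required callback not found in JSON response",
    "Incorrect number of callbacks found in JSON response",
)

# Record header as seen in the excerpts (TransactionId is optional):
# amAuthREST:<date> <time> <AM|PM> <tz>: Thread[...]: TransactionId[...]
HEADER = re.compile(
    r"^amAuthREST:(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M \w+): "
    r"Thread\[(?P<thread>[^\]]+)\]"
    r"(?:: TransactionId\[(?P<txn>[^\]]+)\])?"
)
EXC = re.compile(r"RestAuthException: (%s)" % "|".join(map(re.escape, MESSAGES)))

def find_callback_errors(log_text):
    """Return one dict per amAuthREST record carrying either exception."""
    hits, current = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.groupdict()  # a new record starts here
        exc = EXC.search(line)            # also matches a one-line record
        if exc and current is not None:
            hits.append(dict(current, message=exc.group(1)))
            current = None                # report each record once
    return hits

def summarize(hits):
    """Count occurrences of each message."""
    return Counter(h["message"] for h in hits)

# Sample input: two records from this article, one constructed unrelated one.
SAMPLE_LOG = """\
amAuthREST:10/11/2016 10:07:20:101 AM GMT: Thread[http-bio-8080-exec-1,5,main]
constructed unrelated debug message
amAuthREST:10/11/2016 10:07:23:816 AM GMT: Thread[http-bio-8080-exec-8,5,main]
AuthenticationService.authenticate() :: Rest Authentication Exception
org.forgerock.openam.forgerockrest.authn.exceptions.RestAuthException: Required callback not found in JSON response
   at org.forgerock.openam.forgerockrest.authn.RestAuthCallbackHandlerManager.handleJsonCallbacks(RestAuthCallbackHandlerManager.java:149)
amAuthREST:10/11/2016 10:07:23:816 AM GMT: Thread[http-bio-8080-exec-2,5,main]: TransactionId[1a9f4c3c-01ac-8219-1234-693e9d8d7846-717]
AuthenticationService.authenticate() :: Rest Authentication Exception
org.forgerock.openam.core.rest.authn.exceptions.RestAuthException: Incorrect number of callbacks found in JSON response
"""

if __name__ == "__main__":
    for hit in find_callback_errors(SAMPLE_LOG):
        print(hit["ts"], hit["thread"], hit["txn"], hit["message"])
```

Running the same scan on each AM server's log for the same time window shows whether the errors are spread across nodes, which is what you would expect when requests for one login are not pinned to a single server.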

Recent Changes

Implemented or changed your load balancing configuration so that it does not have session stickiness.

Causes

If you use XUI, sticky load balancing is a requirement if you have multiple authentication modules in an authentication chain. This is a known issue: OPENAM-8336 (XUI+REST authentication with chains must have sticky load balancing). Without sticky load balancing, the load balancer may not send the request to the right AM server, which causes this error.

This error also occurs in several other situations, not just when using two authentication modules in a chain. One example is when a user changes their password after it has expired; see OPENAM-9263 (Password Reset results in "Incorrect number of callbacks found in JSON Response" with LB).

Solution

This issue can be resolved using one of the following options as appropriate to your environment:

  • Implement sticky load balancing using the amlbcookie. See FAQ: Cookies in AM for further information on using the amlbcookie for load balancing.
  • Configure AM to use HTTP and terminate SSL at the load balancer.
  • Configure the load balancer to terminate SSL and re-encrypt instead of using passthrough for SSL if HTTPS is required on all traffic.
  • Add another component (such as HAProxy) between the load balancer and AM that can do SSL offloading (and re-encryption if needed) instead of the load balancer.
  • Use an Active/Passive configuration for the AM nodes. Provided each node can handle the traffic volume, you still have failover, and traffic is routed to the correct server.
  • Upgrade to AM 6 or later; you can download this from BackStage. You can then migrate to authentication trees and configure the storage location for authentication sessions so they are not stored in memory. See the following links for further information:

See Also

401 Unauthorized: Session has timed out response when authenticating to AM (All versions)

FAQ: Cookies in AM

Setup Guide › Load Balancers

Sessions Guide › Choosing Where to Store Sessions

Related Training

N/A

Related Issue Tracker IDs

OPENAM-9263 (Password Reset results in "Incorrect number of callbacks found in JSON Response" with LB)

OPENAM-8336 (XUI+REST authentication with chains must have sticky load balancing)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.